ICO say UK Agents need to do more to protect tenants’ sensitive data
The Information Commissioner’s Office (ICO) have recently released their findings from an enquiry into the residential lettings and sales sector, which reveal that UK agents need to do more to comply with the data protection principles.
To gain a better understanding of the data handling practices, information risks and challenges that letting agents face, 10 advisory visits were made to agents during 2014/15, and a data protection survey was carried out by 51 organisations across the UK.
All things considered, the results reveal that agents need to be doing more in order to comply with the 8 principles of data protection that all organisations governed by the ICO must adhere to.
The key findings from the report include:
- Policies and Procedures
Only one organisation visited had a data protection policy, but 71% of survey respondents said they did.
- Data Protection Training
Most of the organisations visited and 35% of survey respondents did not provide data protection training.
- Third Party Contractors
A number of organisations visited and 57% of respondents did have contracts in place with third party contractors.
- Technical security controls including encryption and endpoint control
Most organisations had not disabled USB ports and DVD/CD drives (a big risk to the security of personal data), and 78% of respondents to the survey reported using unencrypted devices or were unsure whether they were encrypted.
- System access and password requirements
94% of survey respondents and the majority of organisations visited had individual accounts and passwords for their staff, but passwords for approximately half were too simple and staff should be required to change them more frequently.
Only 50% of organisations had controls in place to restrict staff’s access to personal data according to job role.
- Storage of manual records and locked screens
More organisations need to ensure files containing personal information are locked away overnight and provide document policies. A large proportion of those visited and 25% of survey respondents did not have adequate security in place.
- Fair processing, including CCTV
50% of organisations visited and 91% of survey respondents didn’t have a fair processing notice on their website explaining how customer data may be used or disclosed. Organisations fared better at providing verbal or written information about the use of personal data.
- Retention of personal data
39% of letting agents were keeping electronic information indefinitely. They fared much better at disposing of paper records after a set period of time.
The findings identified common themes and challenges faced by organisations and in the report the ICO provide many recommendations for how organisations can improve in the above areas, such as:
- Having written policies in place which also consider home workers and are updated regularly with version numbers.
- Providing training on data protection as part of inductions, with regular refreshers.
- Using encryption software and locking down computer ports and drives.
- Reviewing personal data held, identifying how long it needs to be kept for and securely destroying data once it has passed statutory requirements.
At Landlord Referencing we completely understand the importance of the correct handling of sensitive data, which is why we do not pass on or sell any sensitive data to third parties. We don’t even pass on any sensitive data to our community of landlord and letting agent members.
- How exactly do landlords and letting agents reference their tenants through your system then, we hear you cry?
Well, that’s where our unique Tenant Histories come into play, making us the safest and most effective way for landlords and agents to reference their potential tenants in the UK, to date.